US10133865B1ActiveUtility

Systems and methods for detecting malware

94
Assignee: SYMANTEC CORPPriority: Dec 15, 2016Filed: Dec 15, 2016Granted: Nov 20, 2018
Est. expiryDec 15, 2036(~10.4 yrs left)· nominal 20-yr term from priority
G06F 2221/034G06N 3/084G06N 3/045G06F 21/56G06N 3/0455G06N 3/08G06N 3/04G06N 3/0499G06N 3/09
94
PatentIndex Score
29
Cited by
9
References
17
Claims

Abstract

The disclosed computer-implemented method for detecting malware may include (1) identifying a plurality of programs represented in machine code, (2) deriving a plurality of opcode n-grams from opcode sequences within the plurality of programs, (3) training an autoencoder by using the plurality of opcode n-grams as input, (4) discovering a set of features within the autoencoder after training the autoencoder, each feature within the set of features comprising a linear combination of opcode n-grams from the plurality of opcode n-grams, and (5) classifying a potentially malicious program as malicious by using the set of features discovered within the autoencoder to analyze the potentially malicious program. Various other methods, systems, and computer-readable media are also disclosed.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A computer-implemented method for detecting malware, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
 identifying a plurality of programs represented in machine code; 
 deriving a plurality of opcode n-grams from opcode sequences within the plurality of programs, each opcode n-gram within the plurality of opcode n-grams representing a sequence of opcodes extracted from a program within the plurality of programs; 
 training an autoencoder by using the plurality of opcode n-grams as input; 
 discovering a set of features within the autoencoder after training the autoencoder, each feature within the set of features comprising a linear combination of opcode n-grams from the plurality of opcode n-grams; and 
 classifying a potentially malicious program as malicious by using the set of features discovered within the autoencoder to analyze the potentially malicious program by:
 initializing a neural network with the set of features discovered within the autoencoder; 
 training the neural network with supervision using a training set labeled to indicate whether each sample within the training set is malicious; and 
 classifying the potentially malicious program using the trained neural network. 
 
 
     
     
       2. The computer-implemented method of  claim 1 , further comprising performing a security action on the potentially malicious program based on classifying the potentially malicious program as malicious. 
     
     
       3. The computer-implemented method of  claim 1 , wherein using the set of features discovered within the autoencoder to analyze the potentially malicious program comprises:
 extracting the set of features discovered within the autoencoder from the potentially malicious program; and 
 providing the extracted set of features as input to a machine learning classifier previously trained according to the set of features discovered within the autoencoder. 
 
     
     
       4. The computer-implemented method of  claim 1 , wherein the plurality of opcode n-grams comprises machine code opcodes and not mnemonic-based instructions. 
     
     
       5. The computer-implemented method of  claim 1 , wherein the plurality of opcode n-grams comprises opcodes without accompanying operands. 
     
     
       6. The computer-implemented method of  claim 1 , deriving the plurality of opcode n-grams from the plurality of programs comprises excluding a subset of opcodes from the plurality of opcode n-grams. 
     
     
       7. The computer-implemented method of  claim 1 , wherein deriving the plurality of opcode n-grams from the plurality of programs comprises extracting a plurality of opcodes from a program within the plurality of programs without mapping the opcode to a mnemonic instruction. 
     
     
       8. A system for detecting malware, the system comprising:
 an identification module, stored in memory, that identifies a plurality of programs represented in machine code; 
 a derivation module, stored in memory, that derives a plurality of opcode n-grams from opcode sequences within the plurality of programs, each opcode n-gram within the plurality of opcode n-grams representing a sequence of opcodes extracted from a program within the plurality of programs; 
 a training module, stored in memory, that trains an autoencoder by using the plurality of opcode n-grams as input; 
 a discovery module, stored in memory, that discovers a set of features within the autoencoder after training the autoencoder, each feature within the set of features comprising a linear combination of opcode n-grams from the plurality of opcode n-grams; 
 a classification module, stored in memory, that classifies a potentially malicious program as malicious by using the set of features discovered within the autoencoder to analyze the potentially malicious program by:
 initializing a neural network with the set of features discovered within the autoencoder; 
 training the neural network with supervision using a training set labeled to indicate whether each sample within the training set is malicious; and 
 classifying the potentially malicious program using the trained neural network; and 
 
 at least one physical processor configured to execute the identification module, the derivation module, the training module, the discovery module, and the classification module. 
 
     
     
       9. The system of  claim 8 , wherein the classification module further performs a security action on the potentially malicious program based on classifying the potentially malicious program as malicious. 
     
     
       10. The system of  claim 8 , wherein the classification module uses the set of features discovered within the autoencoder to analyze the potentially malicious program by:
 extracting the set of features discovered within the autoencoder from the potentially malicious program; 
 providing the extracted set of features as input to a machine learning classifier previously trained according to the set of features discovered within the autoencoder. 
 
     
     
       11. The system of  claim 8 , wherein the plurality of opcode n-grams comprises machine code opcodes and not mnemonic-based instructions. 
     
     
       12. The system of  claim 8 , wherein the plurality of opcode n-grams comprises opcodes without accompanying operands. 
     
     
       13. The system of  claim 8 , wherein the derivation module derives the plurality of opcode n-grams from the plurality of programs by excluding a subset of opcodes from the plurality of opcode n-grams. 
     
     
       14. The system of  claim 8 , wherein the derivation module derives the plurality of opcode n-grams from the plurality of programs by extracting a plurality of opcodes from a program within the plurality of programs without mapping the opcode to a mnemonic instruction. 
     
     
       15. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
 identify a plurality of programs represented in machine code; 
 derive a plurality of opcode n-grams from opcode sequences within the plurality of programs, each opcode n-gram within the plurality of opcode n-grams representing a sequence of opcodes extracted from a program within the plurality of programs; 
 train an autoencoder by using the plurality of opcode n-grams as input; 
 discover a set of features within the autoencoder after training the autoencoder, each feature within the set of features comprising a linear combination of opcode n-grams from the plurality of opcode n-grams; and 
 classify a potentially malicious program as malicious by using the set of features discovered within the autoencoder to analyze the potentially malicious program by:
 initializing a neural network with the set of features discovered within the autoencoder; 
 training the neural network with supervision using a training set labeled to indicate whether each sample within the training set is malicious; and 
 classifying the potentially malicious program using the trained neural network. 
 
 
     
     
       16. The non-transitory computer-readable medium of  claim 15 , wherein the one or more computer-readable instructions further cause the computing device to perform a security action on the potentially malicious program based on classifying the potentially malicious program as malicious. 
     
     
       17. The non-transitory computer-readable medium of  claim 15 , wherein the one or more computer-readable instructions cause the computing device to use the set of features discovered within the autoencoder to analyze the potentially malicious program by causing the computing device to:
 extract the set of features discovered within the autoencoder from the potentially malicious program; and
 provide the extracted set of features as input to a machine learning classifier previously trained according to the set of features discovered within the autoencoder.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.